GOV zone operational update: DNSSEC transition to algorithm 13

Cloudflare will start the transition of the .GOV zone to use DNSSEC signing algorithm 13 (ECDSA P-256) about a week from now.

We do not expect any action to be required by the operators of DNS resolvers or by end-users due to this change. This note is being sent as a courtesy, in the interests of operational transparency.

We plan to start the transition on May 20th, 2024. The initial step will be to include algorithm 13 signatures alongside algorithm 8 signatures in signed responses sent by the authoritative .GOV nameservers.

The transition will proceed through the following sequence of events:

1. Algorithm 13 signatures are published in addition to algorithm 8 signatures
2. Algorithm 13 DNSKEY records are published alongside the current algorithm 8 DNSKEYs
3. Algorithm 13 DS record is published in the root zone
4. Algorithm 8 DS record is removed from the root zone
5. Algorithm 8 DNSKEY records are removed
6. Algorithm 8 signatures are removed from responses
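This is the conservative algorithm rollover described in RFC 6781: new signatures go out before new keys, the new DS is published before the old DS is removed, and old keys are withdrawn before old signatures, so that at every intermediate step a strict validator finds a DNSKEY for each DS algorithm and signatures for each DNSKEY algorithm. The model below is an added example, not part of this announcement or of Cloudflare's tooling; the ZoneState representation, step labels and the simplified consistency rule are the example's own. It checks that invariant after each step and reports which reordering would break it:

```python
from dataclasses import dataclass, replace

RSASHA256, ECDSAP256SHA256 = 8, 13  # IANA DNSSEC algorithm numbers

@dataclass(frozen=True)
class ZoneState:
    ds: frozenset      # algorithms present in the parent's DS RRset
    dnskey: frozenset  # algorithms present in the apex DNSKEY RRset
    rrsig: frozenset   # algorithms that sign every RRset in the zone

def consistent(s):
    """Simplified RFC 4035 s2.2 rule a strict validator enforces: every DS
    algorithm must have a DNSKEY, and every DNSKEY algorithm must sign
    every RRset.  Any step that breaks this risks SERVFAIL at validators."""
    return s.ds <= s.dnskey and s.dnskey <= s.rrsig

def add(field, alg):   # step that publishes alg in the named RRset
    return lambda s: replace(s, **{field: getattr(s, field) | {alg}})

def drop(field, alg):  # step that withdraws alg from the named RRset
    return lambda s: replace(s, **{field: getattr(s, field) - {alg}})

# The six steps from the announcement, in the announced order.
GOV_STEPS = [
    ("1. publish alg 13 signatures", add("rrsig", ECDSAP256SHA256)),
    ("2. publish alg 13 DNSKEYs", add("dnskey", ECDSAP256SHA256)),
    ("3. publish alg 13 DS in root", add("ds", ECDSAP256SHA256)),
    ("4. remove alg 8 DS from root", drop("ds", RSASHA256)),
    ("5. remove alg 8 DNSKEYs", drop("dnskey", RSASHA256)),
    ("6. remove alg 8 signatures", drop("rrsig", RSASHA256)),
]
START = ZoneState(frozenset({8}), frozenset({8}), frozenset({8}))  # before May 20

def run(steps, start=START):
    """Apply the steps in order; return [(label, state, is_consistent)]."""
    out, s = [("start", start, consistent(start))], start
    for label, step in steps:
        s = step(s)
        out.append((label, s, consistent(s)))
    return out

def first_unsafe(steps, start=START):
    """Label of the first step after which validation may fail, or None."""
    return next((label for label, _, ok in run(steps, start) if not ok), None)

if __name__ == "__main__":
    for label, s, ok in run(GOV_STEPS):
        print("ok " if ok else "BAD", label, set(s.ds), set(s.dnskey), set(s.rrsig))
    # Swapping steps 1 and 2 leaves an alg 13 DNSKEY with no alg 13 signatures.
    print("swapped 1/2 fails at:", first_unsafe([GOV_STEPS[1], GOV_STEPS[0]] + GOV_STEPS[2:]))
```

The same check flags swapping steps 5 and 6 (signatures withdrawn while the algorithm 8 DNSKEY is still published), which is why keys leave after signatures go in but before signatures go out.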

Cloudflare has been using algorithm 13 for zone signing since 2015, pioneering its use in the wider community. Its widespread adoption since then demonstrates that the resolver ecosystem is mature in its ability to recognize and validate the algorithm. Other important zones also use algorithm 13 today, such as the .COM and .NET Top-Level Domains (TLDs), which transitioned to algorithm 13 in the fourth quarter of 2023.

While we anticipate minimal operational impact for end users, we encourage you to reach out to us with any questions or reports of unexpected behavior related to the transition.

Christian Elmerot, Cloudflare